Merge pull request 'Fix CLAUDE.md: correct binary names and build targets' (#2 ) from fix/claude-md-factual-errors into master

Fix CLAUDE.md: correct binary names and build targets
- Fix cmd/mcr/ to cmd/mcrsrv/ (actual directory name) - Fix make mcr to make mcrsrv, add mcr-web and mcrctl targets - Add cmd/mcrctl/ to package structure Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 22:20:23 +00:00 · 2026-04-02 15:14:43 -07:00 · 2026-04-01 19:39:00 -07:00 · 2026-04-01 17:02:23 -07:00 · 2026-03-31 14:55:46 -07:00 · 2026-03-30 16:40:25 -07:00
14 changed files with 235 additions and 19 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -12,7 +12,9 @@ MCR (Metacircular Container Registry) is a container registry service integrated

 ```bash
 make all          # vet → lint → test → build
-make mcr          # build binary with version injection
+make mcrsrv       # build API server binary with version injection
+make mcr-web      # build web UI binary with version injection
+make mcrctl       # build admin CLI binary
 make build        # compile all packages
 make test         # run all tests
 make vet          # go vet
@@ -53,8 +55,9 @@ go test ./internal/server -run TestPushManifest

 ## Package Structure

- `cmd/mcr/` — CLI entry point (cobra subcommands: server, init, status, snapshot)
+- `cmd/mcrsrv/` — API server entry point (cobra subcommands: server, init, status, snapshot)
 - `cmd/mcr-web/` — Web UI entry point
+- `cmd/mcrctl/` — Admin CLI entry point
 - `internal/auth/` — MCIAS integration (token validation, 30s cache by SHA-256)
 - `internal/config/` — TOML config loading and validation
 - `internal/db/` — SQLite setup, migrations (idempotent, tracked in `schema_migrations`)
--- a/cmd/mcrctl/client.go
+++ b/cmd/mcrctl/client.go
@@ -62,10 +62,14 @@ func newClient(serverURL, grpcAddr, token, caCertFile string) (*apiClient, error

 	if grpcAddr != "" {
 		creds := credentials.NewTLS(tlsCfg)
-		cc, err := grpc.NewClient(grpcAddr,
+		dialOpts := []grpc.DialOption{
 			grpc.WithTransportCredentials(creds),
 			grpc.WithDefaultCallOptions(grpc.ForceCodecV2(mcrv1.JSONCodec{})),
-		)
+		}
+		if token != "" {
+			dialOpts = append(dialOpts, grpc.WithPerRPCCredentials(bearerToken(token)))
+		}
+		cc, err := grpc.NewClient(grpcAddr, dialOpts...)
 		if err != nil {
 			return nil, fmt.Errorf("grpc dial: %w", err)
 		}
@@ -91,6 +95,16 @@ func (c *apiClient) useGRPC() bool {
 	return c.grpcConn != nil
 }

+// bearerToken implements grpc.PerRPCCredentials, injecting the
+// Authorization header into every gRPC call.
+type bearerToken string
+
+func (t bearerToken) GetRequestMetadata(_ context.Context, _ ...string) (map[string]string, error) {
+	return map[string]string{"authorization": "Bearer " + string(t)}, nil
+}
+
+func (t bearerToken) RequireTransportSecurity() bool { return true }
+
 // apiError is the JSON error envelope returned by the REST API.
 type apiError struct {
 	Error string `json:"error"`
--- a/cmd/mcrctl/config.go
+++ b/cmd/mcrctl/config.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	toml "github.com/pelletier/go-toml/v2"
+)
+
+// config holds CLI defaults loaded from a TOML file.
+type config struct {
+	Server string `toml:"server"`
+	GRPC   string `toml:"grpc"`
+	Token  string `toml:"token"`
+	CACert string `toml:"ca_cert"`
+}
+
+// loadConfig reads a TOML config file from the given path. If path is
+// empty it searches the default location (~/.config/mcrctl.toml). A
+// missing file at the default location is not an error — an explicit
+// --config path that doesn't exist is.
+func loadConfig(path string) (config, error) {
+	explicit := path != ""
+	if !explicit {
+		path = defaultConfigPath()
+	}
+
+	data, err := os.ReadFile(path) //nolint:gosec // operator-supplied config path
+	if err != nil {
+		if !explicit && os.IsNotExist(err) {
+			return config{}, nil
+		}
+		return config{}, fmt.Errorf("reading config: %w", err)
+	}
+
+	var cfg config
+	if err := toml.Unmarshal(data, &cfg); err != nil {
+		return config{}, fmt.Errorf("parsing config %s: %w", path, err)
+	}
+	return cfg, nil
+}
+
+// defaultConfigPath returns ~/.config/mcrctl.toml, respecting
+// XDG_CONFIG_HOME if set.
+func defaultConfigPath() string {
+	dir := os.Getenv("XDG_CONFIG_HOME")
+	if dir == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return "mcrctl.toml"
+		}
+		dir = filepath.Join(home, ".config")
+	}
+	return filepath.Join(dir, "mcrctl.toml")
+}
--- a/cmd/mcrctl/config_test.go
+++ b/cmd/mcrctl/config_test.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestLoadConfigExplicitPath(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "mcrctl.toml")
+	data := []byte(`server = "https://reg.example.com"
+grpc   = "reg.example.com:9443"
+token  = "file-token"
+ca_cert = "/path/to/ca.pem"
+`)
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg, err := loadConfig(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if cfg.Server != "https://reg.example.com" {
+		t.Errorf("Server = %q, want %q", cfg.Server, "https://reg.example.com")
+	}
+	if cfg.GRPC != "reg.example.com:9443" {
+		t.Errorf("GRPC = %q, want %q", cfg.GRPC, "reg.example.com:9443")
+	}
+	if cfg.Token != "file-token" {
+		t.Errorf("Token = %q, want %q", cfg.Token, "file-token")
+	}
+	if cfg.CACert != "/path/to/ca.pem" {
+		t.Errorf("CACert = %q, want %q", cfg.CACert, "/path/to/ca.pem")
+	}
+}
+
+func TestLoadConfigMissingDefaultIsOK(t *testing.T) {
+	// Point XDG_CONFIG_HOME at an empty dir so we don't find the real config.
+	t.Setenv("XDG_CONFIG_HOME", t.TempDir())
+
+	cfg, err := loadConfig("")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.Server != "" || cfg.GRPC != "" || cfg.Token != "" {
+		t.Errorf("expected zero config from missing default, got %+v", cfg)
+	}
+}
+
+func TestLoadConfigMissingExplicitIsError(t *testing.T) {
+	_, err := loadConfig("/nonexistent/mcrctl.toml")
+	if err == nil {
+		t.Fatal("expected error for missing explicit config path")
+	}
+}
+
+func TestLoadConfigInvalidTOML(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "bad.toml")
+	if err := os.WriteFile(path, []byte("not valid [[[ toml"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err := loadConfig(path)
+	if err == nil {
+		t.Fatal("expected error for invalid TOML")
+	}
+}
+
+func TestLoadConfigPartial(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "mcrctl.toml")
+	data := []byte(`server = "https://reg.example.com"
+`)
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg, err := loadConfig(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if cfg.Server != "https://reg.example.com" {
+		t.Errorf("Server = %q, want %q", cfg.Server, "https://reg.example.com")
+	}
+	if cfg.GRPC != "" {
+		t.Errorf("GRPC should be empty, got %q", cfg.GRPC)
+	}
+}
--- a/cmd/mcrctl/main.go
+++ b/cmd/mcrctl/main.go
@@ -18,6 +18,7 @@ var version = "dev"

 // Global flags, resolved in PersistentPreRunE.
 var (
+	flagConfig string
 	flagServer string
 	flagGRPC   string
 	flagToken  string
@@ -32,15 +33,27 @@ func main() {
 		Use:     "mcrctl",
 		Short:   "Metacircular Container Registry admin CLI",
 		Version: version,
-		PersistentPreRunE: func(_ *cobra.Command, _ []string) error {
-			// Resolve token: flag overrides env.
-			token := flagToken
-			if token == "" {
-				token = os.Getenv("MCR_TOKEN")
+		PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
+			cfg, err := loadConfig(flagConfig)
+			if err != nil {
+				return err
 			}

-			var err error
-			client, err = newClient(flagServer, flagGRPC, token, flagCACert)
+			// Resolution order: flag > env > config file.
+			server := applyDefault(cmd, "server", flagServer, cfg.Server)
+			grpcAddr := applyDefault(cmd, "grpc", flagGRPC, cfg.GRPC)
+			caCert := applyDefault(cmd, "ca-cert", flagCACert, cfg.CACert)
+
+			token := flagToken
+			if !cmd.Flags().Changed("token") {
+				if envToken := os.Getenv("MCR_TOKEN"); envToken != "" {
+					token = envToken
+				} else if cfg.Token != "" {
+					token = cfg.Token
+				}
+			}
+
+			client, err = newClient(server, grpcAddr, token, caCert)
 			if err != nil {
 				return err
 			}
@@ -53,9 +66,10 @@ func main() {
 		},
 	}

+	root.PersistentFlags().StringVar(&flagConfig, "config", "", "config file (default ~/.config/mcrctl.toml)")
 	root.PersistentFlags().StringVar(&flagServer, "server", "", "REST API base URL (e.g. https://registry.example.com)")
 	root.PersistentFlags().StringVar(&flagGRPC, "grpc", "", "gRPC server address (e.g. registry.example.com:9443)")
-	root.PersistentFlags().StringVar(&flagToken, "token", "", "bearer token (fallback: MCR_TOKEN env)")
+	root.PersistentFlags().StringVar(&flagToken, "token", "", "bearer token (fallback: MCR_TOKEN env, config file)")
 	root.PersistentFlags().StringVar(&flagCACert, "ca-cert", "", "custom CA certificate PEM file")
 	root.PersistentFlags().BoolVar(&flagJSON, "json", false, "output as JSON instead of table")

@@ -740,6 +754,18 @@ func runSnapshot(_ *cobra.Command, _ []string) error {

 // ---------- helpers ----------

+// applyDefault returns the flag value if the flag was explicitly set on
+// the command line, otherwise falls back to the config file value.
+func applyDefault(cmd *cobra.Command, name, flagVal, cfgVal string) string {
+	if cmd.Flags().Changed(name) {
+		return flagVal
+	}
+	if cfgVal != "" {
+		return cfgVal
+	}
+	return flagVal
+}
+
 // confirmPrompt displays msg and waits for y/n from stdin.
 func confirmPrompt(msg string) bool {
 	fmt.Fprintf(os.Stderr, "%s [y/N] ", msg)
--- a/deploy/examples/mcrctl.toml
+++ b/deploy/examples/mcrctl.toml
@@ -0,0 +1,7 @@
+# mcrctl — Metacircular Container Registry CLI configuration.
+# Copy to ~/.config/mcrctl.toml and edit.
+
+server  = "https://registry.example.com:8443"   # REST API base URL
+grpc    = "registry.example.com:9443"            # gRPC server address (optional)
+token   = ""                                     # bearer token (MCR_TOKEN env overrides)
+ca_cert = ""                                     # custom CA certificate PEM file
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.wntrmute.dev/mc/mcr
 go 1.25.7

 require (
-	git.wntrmute.dev/mc/mcdsl v1.5.0
+	git.wntrmute.dev/mc/mcdsl v1.6.0
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/google/uuid v1.6.0
 	github.com/spf13/cobra v1.10.2
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 git.wntrmute.dev/mc/mcdsl v1.5.0 h1:JUlSYuvETRCycf+cZ56Gxp/1XZn0T7fOfWezM3m89qE=
 git.wntrmute.dev/mc/mcdsl v1.5.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
+git.wntrmute.dev/mc/mcdsl v1.6.0 h1:Vn1uy6b1yZ4Y8fsl1+kLucVprrFKlQ4SN2cjUH/Eg2k=
+git.wntrmute.dev/mc/mcdsl v1.6.0/go.mod h1:MhYahIu7Sg53lE2zpQ20nlrsoNRjQzOJBAlCmom2wJc=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
--- a/internal/webserver/auth.go
+++ b/internal/webserver/auth.go
@@ -133,8 +133,17 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/", http.StatusSeeOther)
 }

-// handleSSOLogin redirects the user to MCIAS for SSO login.
+// handleSSOLogin renders a landing page with a "Sign in" button that
+// initiates the SSO redirect to MCIAS.
 func (s *Server) handleSSOLogin(w http.ResponseWriter, r *http.Request) {
+	s.templates.render(w, "login", map[string]any{
+		"SSO":     true,
+		"Session": false,
+	})
+}
+
+// handleSSORedirect initiates the SSO redirect to MCIAS.
+func (s *Server) handleSSORedirect(w http.ResponseWriter, r *http.Request) {
 	if err := mcdsso.RedirectToLogin(w, r, s.ssoClient, "mcr"); err != nil {
 		log.Printf("sso: redirect to login: %v", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -95,6 +95,7 @@ func (s *Server) buildRouter() chi.Router {
 	// Public routes (no session required).
 	if s.ssoClient != nil {
 		r.Get("/login", s.handleSSOLogin)
+		r.Get("/sso/redirect", s.handleSSORedirect)
 		r.Get("/sso/callback", s.handleSSOCallback)
 	} else {
 		r.Get("/login", s.handleLoginPage)
--- a/internal/webserver/server_test.go
+++ b/internal/webserver/server_test.go
@@ -245,8 +245,8 @@ func TestLoginPageRenders(t *testing.T) {
 	}

 	body := rec.Body.String()
-	if !strings.Contains(body, "MCR Login") {
-		t.Error("login page does not contain 'MCR Login'")
+	if !strings.Contains(body, "Metacircular Container Registry") {
+		t.Error("login page does not contain 'Metacircular Container Registry'")
 	}
 	if !strings.Contains(body, "_csrf") {
 		t.Error("login page does not contain CSRF token field")
--- a/vendor/git.wntrmute.dev/mc/mcdsl/sso/sso.go
+++ b/vendor/git.wntrmute.dev/mc/mcdsl/sso/sso.go
@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
 // redirect back to it after SSO login completes.
 func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
 	path := r.URL.Path
-	if path == "" || path == "/login" || path == "/sso/callback" {
+	if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
 		path = "/"
 	}
 	http.SetCookie(w, &http.Cookie{
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,4 +1,4 @@
-# git.wntrmute.dev/mc/mcdsl v1.5.0
+# git.wntrmute.dev/mc/mcdsl v1.6.0
 ## explicit; go 1.25.7
 git.wntrmute.dev/mc/mcdsl/auth
 git.wntrmute.dev/mc/mcdsl/config
--- a/web/templates/login.html
+++ b/web/templates/login.html
@@ -2,10 +2,14 @@

 {{define "content"}}
 <div class="login-container">
-    <h1>MCR Login</h1>
+    <h1>Metacircular Container Registry</h1>
    {{if .Error}}
    <div class="error">{{.Error}}</div>
    {{end}}
+    {{if .SSO}}
+    <p>Sign in to manage container images, policies, and audit logs.</p>
+    <a href="/sso/redirect" class="btn">Sign in with MCIAS</a>
+    {{else}}
    <form method="POST" action="/login">
        <input type="hidden" name="_csrf" value="{{.CSRFToken}}">
        <div class="form-group">
@@ -18,5 +22,6 @@
        </div>
        <button type="submit">Sign In</button>
    </form>
+    {{end}}
 </div>
 {{end}}
Author	SHA1	Message	Date
kyle	99817dc25d	Merge pull request 'Fix CLAUDE.md: correct binary names and build targets' (#2 ) from fix/claude-md-factual-errors into master	2026-04-02 22:20:23 +00:00
Kyle Isom	cf8011196f	Fix CLAUDE.md: correct binary names and build targets - Fix cmd/mcr/ to cmd/mcrsrv/ (actual directory name) - Fix make mcr to make mcrsrv, add mcr-web and mcrctl targets - Add cmd/mcrctl/ to package structure Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-02 15:14:43 -07:00
Kyle Isom	1f3bcd6b69	Fix gRPC auth: inject bearer token via PerRPCCredentials The gRPC client was not sending the authorization header, causing "missing authorization header" errors even when a token was configured. Also fix config test to isolate from real ~/.config/mcrctl.toml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 19:39:00 -07:00
Kyle Isom	0fe52afbb2	Add TOML config file support to mcrctl Loads defaults from ~/.config/mcrctl.toml (or XDG_CONFIG_HOME). Resolution order: flag > env (MCR_TOKEN) > config file. Adds --config flag to specify an explicit path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 17:02:23 -07:00
Kyle Isom	bf206ae67c	Bump mcdsl to v1.6.0 (SSO redirect fix) Fixes SSO login redirect loop where the return-to cookie stored /sso/redirect, bouncing users back to MCIAS after successful login. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-31 14:55:46 -07:00
Kyle Isom	8eeab91cbd	Show SSO landing page instead of immediate redirect The login page now shows the service name and a "Sign in with MCIAS" button instead of immediately redirecting to MCIAS. This lets the user know what service they are logging into before the redirect. - GET /login renders the landing page with SSO button - GET /sso/redirect initiates the actual SSO redirect - Non-SSO login form still works when SSO is not configured Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 16:40:25 -07:00